Detections
Analytics

SUSE SLES12 Security Update : amazon-ssm-agent (SUSE-SU-2026:2468-1)

medium Nessus Plugin ID 321922

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2468-1 advisory.

 This update for amazon-ssm-agent fixes the following issues

 Update to version 3.3.4624.0:

 - CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239342).
 - CVE-2025-22870: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs (bsc#1238702).
 - CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253611).
 - CVE-2026-1229: the CombinedMult function in the ecc/p384 package produces an incorrect value for specific inputs (bsc#1265474).
 - CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files (bsc#1258095).
 - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass and privilege esca (bsc#1266781).
 - CVE-2026-41506: github.com/go-git/go-git/v5: HTTP authentication credential leak when following redirects during smart-HTTP clone and fetch operations (bsc#1264952).
 - CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite loops, panics or resource consumption (bsc#1267332).
 - CVE-2026-39827: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-39828: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-39829: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-39830: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-39831: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-39832: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent (bsc#1266200).
 - CVE-2026-39833: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent (bsc#1266200).
 - CVE-2026-39834: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-39835: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-42508: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts (bsc#1266200).
 - CVE-2026-46595: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-46597: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh (bsc#1266200).
 - CVE-2026-46598: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent (bsc#1266200).

 Changes:

 * Bump golang.org/x/crypto from v0.51.0 to v0.52.0
 * Bump golang.org/x/net from v0.54.0 to v0.55.0
 * Enforce directory boundary in BuildSafePath
 * Fix visibility issue with Bottlerocket OS in document output
 * Update go-git from v5.17.1 to v5.19.1 (bsc#1264952, CVE-2026-41506), this also updates go-billy from v5.8.0 to v5.9.0 (bsc#1267332, CVE-2026-44740)
 * Bump golang.org/x/net from v0.48.0 to v0.53.0 (bsc#1266781, CVE-2026-39821)
 * Quit if sysprep failed and log its current state
 * Remove attached legacy cloudwatch plugin packages
 * Upgrade Go version to 1.25.10
 * Use BuildSafePath wherever it is applicable
 * Add OOM killer protection to systemd service files
 * Apply more sanitation to file and registry inventory gatherers
 * Bump go-git to v5.17.1
 * Deprecate legacy cloudwatch plugin
 * Preserve network error details in credential refresher SSM API failures
 * Upgrade Go version to 1.25.9
 * Add SSM Distributor support for Bottlerocket OS
 * Implement flush credentials command in ssm-cli
 * Log ec2messages access denied as debug instead of error to reduce log noise
 * Make credential refresher refresh cache quickly in case of credential flush
 * Make Greengrass component registration resilient with retry
 * Add EnforceWorkspaceRootOwnership configuration to support disable hardening of agent workspace
 * Add reboot comment to Windows shutdown command for SSM Agent traceability
 * Update privilege access check to verify ownership and permissions of document state files
 * Add read-only version check prior to install and uninstall in case of occupied package manager locks
 * Add ANSI processing for CloudWatch and S3 log
 * Upgrade go-git to v5.17.0 and cloudflare/circl to v1.6.3 to fix CVE-2026-1229
 - Switch to systemd-tmpfiles to store runtime data (jsc#PED-14843)
 * Disable Go 1.25 container-aware GOMAXPROCS to prevent holding cgroup file descriptors open
 * Upgrade Go version to 1.25.8
 * Document CommandWorkerBufferLimit config
 * Include package update in Dockerfile
 * Reduce CloudWatch event message length threshold
 * Upgrade Go version to 1.25.7
 * Update github.com/go-git/go-git/v5 to 5.16.5 (bsc#1258095, CVE-2026-25934)
 * Update greengrass version
 * Update Golang version to 1.24.12
 * Updating golang.org/x/crypto from v0.37.0 to v0.47.0, golang.org/x/net from v0.39.0 to v0.48.0 and golang.org/x/sys from v0.32.0 to v0.40.0 (bsc#1253611, CVE-2025-47913)
 * Categorize integration tests by adding new tags to split fast and slow ones
 * Fix bug where IP field being empty string and causing UII API failure
 * Allow Patch execution to persist across reboots not registered to SSM Agent
 * Fix ENV_VAR interpolation to work correctly with parameter store value
 * Implement immediate retries for failed reply messages to MGS for RunCommand documents
 * Improve ssm-cli get-diagnostics command log output
 * Support DomainJoin endpoint for EU sovereign cloud
 * Support dualstack S3 endpoint for distributor packages
 * Upgrade Go version to 1.24.11
 * Add initial IPv6 support with UseDualStackEndpoint configuration option
 * Fix CPU utilization issue for instances with thousands of network interfaces
 * Add IMDS retry count to account for EC2 droplet refresh
 * Fix duplicate uid error logging in MDS module
 * Update aws:Domainjoin plugin logging from Log4Net to NLog
 * Upgrade Go version to 1.24.7
 * Update github.com/go-git/go-git/v5 to 5.15.0
 * Update golang.org/x/crypto to v0.37.0 (bsc#1238702, CVE-2025-22870)
 * Update golang.org/x/net to v0.39.0
 * Update golang.org/x/sys to v0.32.0
 * Add EU sovereign cloud S3 endpoint for DownloadContent plugin
 * Add configurable credential rotation max backoff interval
 * Migrate from twinj/uuid to google/uuid library
 * Allow newer agent versions to be installed when deploying on Greengrass
 * Harden function to remove non-admin run command documents in execution path
 * Fix macOS credential refresher test issue due to missing Debugf from serialport skip file
 * Enhance testability of custom certificate usage in debug SSM Agent builds
 * Decouple serial port from startup and add credential refresher serialport logging
 * Add GlobalEnhancedTelemetryEnabled config to README
 * Add cloudwatch logs endpoint configuration to optional config for agent
 * Update Greengrass component version
 * Add file privilege check before processing document state file
 * Storing AWS document interpolation ENV_VAR types as environment variables
 * Throw explicit error when running local cli as non-priviledged user
 * Harden telemetry dynamic config folder permissions
 * Add configuration option for HandshakeTimeout
 * Improve unit tests
 * Add setup for emitting telemetry logs and metrics
 * Add initial selection of error logs to emit to telemetry
 * Simplify checkstyle and import organization in build scripts
 * Update golang.org/x/net from v0.37.0 to v0.38.0
 * Agent hibernation reason is logged to EC2 system logs
 * Add metrics for the EC2Detector and IMDS EC2 status findings
 * Change Linux DomainJoin plugin parameter KeepHostName to accept both boolean and string
 * Upgrade GoLang to version 1.23.8
 * Update golang.org/x/crypto from v0.32.0 to v0.36.0 (bsc#1239342, CVE-2025-22869)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected amazon-ssm-agent package.

See Also

https://bugzilla.suse.com/1238702

https://bugzilla.suse.com/1239342

https://bugzilla.suse.com/1253611

https://bugzilla.suse.com/1258095

https://bugzilla.suse.com/1264952

https://bugzilla.suse.com/1265474

https://bugzilla.suse.com/1266200

https://bugzilla.suse.com/1266781

https://bugzilla.suse.com/1267332

https://lists.suse.com/pipermail/sle-updates/2026-June/047438.html

https://www.suse.com/security/cve/CVE-2025-22869

https://www.suse.com/security/cve/CVE-2025-22870

https://www.suse.com/security/cve/CVE-2025-47913

https://www.suse.com/security/cve/CVE-2026-1229

https://www.suse.com/security/cve/CVE-2026-25934

https://www.suse.com/security/cve/CVE-2026-39821

https://www.suse.com/security/cve/CVE-2026-39827

https://www.suse.com/security/cve/CVE-2026-39828

https://www.suse.com/security/cve/CVE-2026-39829

https://www.suse.com/security/cve/CVE-2026-39830

https://www.suse.com/security/cve/CVE-2026-39831

https://www.suse.com/security/cve/CVE-2026-39832

https://www.suse.com/security/cve/CVE-2026-39833

https://www.suse.com/security/cve/CVE-2026-39834

https://www.suse.com/security/cve/CVE-2026-39835

https://www.suse.com/security/cve/CVE-2026-41506

https://www.suse.com/security/cve/CVE-2026-42508

https://www.suse.com/security/cve/CVE-2026-44740

https://www.suse.com/security/cve/CVE-2026-46595

https://www.suse.com/security/cve/CVE-2026-46597

https://www.suse.com/security/cve/CVE-2026-46598

Plugin Details

Severity: Medium

ID: 321922

File Name: suse_SU-2026-2468-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/22/2026

Updated: 6/22/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-1229

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:amazon-ssm-agent, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/19/2026

Vulnerability Publication Date: 2/26/2025

Reference Information

CVE: CVE-2025-22869, CVE-2025-22870, CVE-2025-47913, CVE-2026-1229, CVE-2026-25934, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-41506, CVE-2026-42508, CVE-2026-44740, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598

SuSE: SUSE-SU-2026:2468-1